TOR on Academic networks (problem)
michael.holstein at csuohio.edu
Wed May 17 16:57:31 UTC 2006
>>iptables -t nat -A POSTROUTING -p tcp -d <ip of journal> --dport 80 -j DNAT
>>--to-destination <ip of you webserver>
FreeBSD here, but I'll try something along those lines.
> Still, I would also agree that rejecting *:80 would be the best until
> this IP as authentication issue is resolved.
Since the /etc/hosts approach posions the DNS for clients, it now seems
the better (although not ideal) approach is to allow legitimate DNS
lookups, and then just blackhole the traffic. After 15 seconds, the
client will give up and pick another node.
In reality, what I should do is just get a new /24 and put all the
potentially bad stuff in there. Only problem is it'd be a subassignment
since ARIN dosen't do a /24, and that gives people a "higher" place to
complain. At least now, there's nobody besides us that folks can fuss at
(unless they want to try and whine to our routing peers and get laughed at).
In ~6 months of running an exit, this is the first time this has ever
been an issue .. so it hardly seems worth the effort .. but the
potential for getting into hot water involving the contracts with
publishers means I've got to do something.
More information about the tor-talk